AWS Suspect Public EC2 Change

View all detections
AWS Suspect Public EC2 Change


  • After enumerating the existing security group policies, the ingress policy for an EC2 instance is modified.

Possible Root Causes

  • An attacker is enabling external access to an EC2 instance to maintain persistence.
  • An EC2 instance is exposed to external access as a part of its normal operation.

Business Impact

  • Once an adversary achieves persistent access, they’ve established the opportunity to stage subsequent phases of an attack.

Steps to Verify

  • Validate that any modifications are authorized, given the purpose and policies governing this resource.
  • If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.